Massive Data Breach Exposes Millions of Sensitive Employee Records Linked to UK-Based Logezy

In a disturbing data security incident, a publicly accessible and unprotected database has exposed nearly 8 million sensitive files, totaling over 1.1 terabytes in size. The database contained highly confidential records including work authorization documents, national insurance numbers, certificates, electronic signatures, timesheets, user images, and government-issued identification documents. The breach raises serious concerns about data protection practices, particularly in sectors handling sensitive personal information.

The Exposure

The database in question was neither encrypted nor password-protected, allowing anyone with the right URL to access the contents freely. It housed 7,975,438 files, many of which were .PDFs and images containing personally identifiable information (PII) of individuals—primarily healthcare workers. Among the exposed records were detailed documents typically required for employment verification and compliance.

Notably, the database contained 656 directory entries, each indicating different organizations—most of which were healthcare providers, recruitment firms, or temporary staffing agencies. This suggests the breach affected not only one company but potentially hundreds of third-party entities relying on the same digital infrastructure for workforce management.

Link to Logezy

According to the report, analysis of the database name and internal file structures strongly suggests that the data belonged to Logezy, a UK-based company providing cloud-based staff management software. Logezy markets its platform as a comprehensive solution for managing temporary and permanent employees, offering features such as compliance tracking, payroll integration, timesheet logging, and digital documentation through both desktop and mobile platforms.

While the database clearly involved records associated with Logezy, it remains unclear whether the database was directly managed by the company or hosted by a third-party contractor on its behalf. The ambiguity around the database’s ownership adds another layer of concern, especially when it comes to accountability and regulatory compliance under laws such as the UK GDPR.

Timeline and Response

The security researcher who discovered the exposed database acted swiftly, issuing a responsible disclosure notice to Logezy. Shortly thereafter, the database was taken offline and is no longer publicly accessible. However, the duration of exposure remains unknown, and there is currently no public confirmation of whether other unauthorized parties accessed the data during the period it was available.

To determine the extent of potential misuse, an internal forensic investigation would be required. Such an audit could identify any signs of suspicious activity, external downloads, or manipulation of the exposed files. So far, Logezy has not issued an official public statement about the breach or whether affected individuals and organizations have been notified.
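As an added illustration of the kind of audit described above (example code, not from the article or from Logezy): given access-log lines from an exposed file store, it estimates the exposure window from the first and last unauthenticated successful reads and flags clients that pulled many distinct files. The log format and the sample lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines (format assumed): time, client, auth state, method, object key, status
SAMPLE_LOG = """\
2024-05-01T09:12:03Z 203.0.113.5 anon GET /org-042/timesheets/ts-1001.pdf 200
2024-05-01T09:12:04Z 203.0.113.5 anon GET /org-042/ids/passport-77.jpg 200
2024-05-01T09:12:05Z 203.0.113.5 anon GET /org-042/certs/cert-9.pdf 200
2024-05-01T09:12:06Z 203.0.113.5 anon GET /org-101/ni/ni-3.pdf 200
2024-05-02T14:30:00Z 198.51.100.7 user GET /org-101/ni/ni-3.pdf 200
2024-05-03T01:02:03Z 192.0.2.9 anon GET /org-042/ids/passport-77.jpg 200
2024-05-03T01:02:04Z 192.0.2.9 anon GET /org-042/ids/passport-78.jpg 404
"""

def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, client, auth, method, key, status = line.split()
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "client": client, "auth": auth, "method": method,
        "key": key, "status": int(status),
    }

def triage(log_text, bulk_threshold=3):
    """Return the window of anonymous successful reads and clients that
    fetched at least bulk_threshold distinct files without authenticating."""
    anon_reads = [r for r in map(parse_line, log_text.splitlines())
                  if r["auth"] == "anon" and r["method"] == "GET" and r["status"] == 200]
    if not anon_reads:
        return {"first_anon_read": None, "last_anon_read": None, "bulk_clients": {}}
    files_by_client = defaultdict(set)
    for r in anon_reads:
        files_by_client[r["client"]].add(r["key"])
    return {
        "first_anon_read": min(r["time"] for r in anon_reads),
        "last_anon_read": max(r["time"] for r in anon_reads),
        "bulk_clients": {c: len(k) for c, k in files_by_client.items()
                         if len(k) >= bulk_threshold},
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The window it reports is a lower bound on the exposure duration: it only covers reads that were logged, which is exactly why the article notes the true duration remains unknown.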

Sector-Specific Impact

Although Logezy claims to support a wide range of industries, the sample of exposed files viewed by the researcher appeared to pertain exclusively to the healthcare sector. This raises concerns about the concentration of affected individuals in a high-risk and highly regulated field where data privacy and trust are paramount.

Healthcare workers often handle highly sensitive tasks and operate under rigorous compliance standards, making the exposure of their personal and professional documents particularly troubling. The breach could have significant implications not only for individual privacy but also for organizational integrity and patient care.

This incident underscores the critical need for companies handling personal data to enforce robust cybersecurity practices, especially when operating cloud-based platforms that manage large volumes of sensitive information. Unencrypted and publicly exposed databases remain a common yet entirely preventable vector of data leaks.

Whether due to oversight or misconfiguration, this breach highlights how digital efficiency must never come at the cost of security. Organizations that fail to protect user data not only face reputational damage but also potential legal and financial penalties.

Until more details are made public—either by Logezy or through regulatory investigations—millions of healthcare workers and the companies that employ them remain uncertain about the extent of their exposure and the possible consequences.